Authentication
The Flow API uses API key authentication. All requests to the /v1/* endpoints require a valid API key.
Getting Your API Key
- Log in to your Flow dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Give it a descriptive name
- Copy the key immediately - it's only shown once!
Your API key format:
flow_sk_live_<prefix>_<secret>
Using Your API Key
Include your API key as a Bearer token in the Authorization header of every request:
curl https://api.flow.dev/v1/channels \
-H "Authorization: Bearer flow_sk_live_abc12345_xyz789..."
Using SDKs
The SDKs handle authentication automatically:
TypeScript:
import { Flow } from '@flowdev/sdk';
const flow = new Flow('flow_sk_live_abc12345_xyz789...');
Python:
from flow_sdk import Flow
flow = Flow(api_key='flow_sk_live_abc12345_xyz789...')
Go:
import "github.com/flowdev/go-sdk"
client := flow.NewClient("flow_sk_live_abc12345_xyz789...")
API Key Permissions
API keys can have specific permissions:
- posts:read - Read posts
- posts:write - Create/update posts
- channels:read - Read channels
- channels:write - Create/update channels
- connections:read - Read connections
- connections:write - Manage connections
- webhooks:read - Read webhooks
- webhooks:write - Manage webhooks
When creating an API key, you can specify which permissions it should have. By default, new keys have all permissions.
Security Best Practices
- Never commit API keys to version control
  - Use environment variables
  - Use secret management tools
- Use different keys for different environments
  - Production keys
  - Development keys
  - Testing keys
- Rotate keys regularly
  - Delete unused keys
  - Create new keys periodically
- Use the least privilege principle
  - Only grant necessary permissions
  - Create separate keys for different use cases
- Monitor key usage
  - Check the API key usage in your dashboard
  - Set up alerts for unusual activity
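As an added example (not part of the Flow documentation or SDKs), the Python check below shows one way to enforce the first practice: a scanner for a pre-commit hook or CI step that flags strings shaped like flow_sk_live_<prefix>_<secret> and reports them with the secret redacted. The alphanumeric character classes, the function names, and the FLOW_API_KEY variable name in the sample are assumptions.

```python
import re

# Documented shape: flow_sk_live_<prefix>_<secret>. The character classes are
# an assumption (alphanumeric); the page does not specify them.
KEY_RE = re.compile(r"\bflow_sk_live_([A-Za-z0-9]+)_([A-Za-z0-9]+)")


def redact(match):
    """Keep the non-secret prefix for triage, drop the secret itself."""
    return f"flow_sk_live_{match.group(1)}_<redacted>"


def scan_text(text, source="<stdin>"):
    """Return (source, line_number, redacted_key) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(m)))
    return findings


def scan_files(paths):
    """Scan each readable file; the reports never contain the secret part."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), source=path))
        except OSError:
            continue  # unreadable or deleted file: nothing to scan
    return findings


# Constructed sample, not a real key or a real project file.
# FLOW_API_KEY is a hypothetical environment variable name.
SAMPLE = '''\
import os
flow = Flow(api_key=os.environ["FLOW_API_KEY"])
legacy = Flow(api_key="flow_sk_live_abc12345_xyz789")
# docs placeholder: flow_sk_live_<prefix>_<secret>
'''

if __name__ == "__main__":
    import sys
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for source, lineno, key in hits:
        print(f"{source}:{lineno}: possible Flow API key {key}")
    sys.exit(1 if hits else 0)
```

Pass the staged file paths as arguments from a pre-commit hook; a non-zero exit status blocks the commit.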
Error Responses
Invalid API Key
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key",
    "code": "INVALID_API_KEY"
  }
}
Status Code: 401 Unauthorized
Missing API Key
{
  "error": {
    "type": "authentication_error",
    "message": "API key required",
    "code": "MISSING_API_KEY"
  }
}
Status Code: 401 Unauthorized
Insufficient Permissions
{
  "error": {
    "type": "authorization_error",
    "message": "Insufficient permissions",
    "code": "INSUFFICIENT_PERMISSIONS"
  }
}
Status Code: 403 Forbidden
Testing Authentication
You can test your API key with a simple request:
curl https://api.flow.dev/v1/health \
-H "Authorization: Bearer flow_sk_live_..."
A successful response confirms your API key is valid.